AdaptiveMobile Security has detected unusual activity over the messaging and signalling bearers of specific customers, which it says is part of a new spyware attack. Called ‘Simjacker’, it has revealed locations and IMEI numbers to attackers without the phone’s owner knowing, says the firm’s TIU team.
The firm believes this vulnerability has been actively exploited by an organized group of hackers for at least the past two years. Subsequent, deeper investigation revealed a vulnerability that left almost every mobile device in the affected operators open to manipulation.
How the attack worked
In a report, the firm revealed that the attack involves an SMS containing a specific type of spyware-like code being sent to a mobile phone, which then instructs the SIM card within the phone to ‘take over’ the mobile phone to retrieve and perform sensitive commands. The attacks exploit the ability to send SIM Toolkit messages and the presence of the S@T Browser on the SIM card of vulnerable subscribers. The attack messages use the S@T Browser functionality to trigger proactive commands that are sent to the handset. The responses to these commands are sent back from the handset to the SIM card and stored there temporarily. Once the relevant information is retrieved from the handset, another proactive command is sent to the handset to send an SMS out with the information.
AMS correlated the Simjacker sources with known malicious threat actors and discovered that the source is a large professional surveillance company, with very sophisticated abilities in both signalling and handsets. These types of companies exploit the fact that some mobile operators may incorrectly regard core network security as solved if they deploy a standard GSMA ‘compliant’ firewall.
Over 1 Billion probably impacted
AdaptiveMobile Security research indicates that the Simjacker vulnerability could extend to over 1 billion mobile phone users globally, potentially impacting countries in the Americas, Africa, Europe, the Middle East and indeed any region of the world where this SIM card technology is in use. The issue is that in affected operators, the SIM cards do not check the origin of messages that use the S@T Browser, and SIMs allow data download via SMS. Other types of attacks are also possible using the S@T Browser, including: location tracking, fraud, denial of service, malware spreading and call interception.
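As an added illustration (not AdaptiveMobile's code), the network-side compensating control that follows from this: since affected SIMs do not verify the origin of S@T Browser messages, an SMS home-routing filter can refuse SIM data-download messages from any originating address other than the operator's own OTA platform. The `Sms` record, the whitelist address and the sample messages are constructed; the TP-PID and TP-DCS encodings follow 3GPP TS 23.040 and TS 23.038.

```python
# Added example: minimal home-routing / SMS firewall rule that blocks messages the handset
# would pass straight to the SIM unless they come from the operator's own OTA platform.
from dataclasses import dataclass

# TP-Protocol-Identifier value for "(U)SIM Data download" (3GPP TS 23.040, 9.2.3.9).
PID_SIM_DATA_DOWNLOAD = 0x7F


@dataclass
class Sms:
    """Constructed representation of an inbound SMS-MT as seen by a home-routing node."""
    originating_address: str  # sender as presented over the signalling link (spoofable)
    tp_pid: int               # TP-Protocol-Identifier
    tp_dcs: int               # TP-Data-Coding-Scheme
    user_data: bytes          # TP-User-Data; binary for OTA / SIM Toolkit messages


def is_class2(dcs: int) -> bool:
    """True if the DCS marks the message as class 2 ((U)SIM specific), per TS 23.038."""
    general_group = (dcs & 0x80) == 0x00   # coding groups 00xx / 01xx
    data_group = (dcs & 0xF0) == 0xF0      # "data coding / message class" group
    if general_group and (dcs & 0x10):     # bit 4 set: bits 1-0 carry a message class
        return (dcs & 0x03) == 2
    if data_group:                         # class is always present in this group
        return (dcs & 0x03) == 2
    return False


def is_sim_data_download(sms: Sms) -> bool:
    """Messages the handset hands to the SIM rather than showing to the user."""
    return sms.tp_pid == PID_SIM_DATA_DOWNLOAD or is_class2(sms.tp_dcs)


# Constructed: the only source allowed to push binary OTA messages to subscribers' SIMs.
OTA_ALLOWED_ORIGINS = frozenset({"+15550100999"})


def decide(sms: Sms, allowed=OTA_ALLOWED_ORIGINS) -> str:
    """'allow' ordinary traffic; 'block' SIM-bound data from any non-whitelisted origin."""
    if not is_sim_data_download(sms):
        return "allow"
    return "allow" if sms.originating_address in allowed else "block"


def triage(messages) -> list:
    """Return the messages a defender should drop and alert on."""
    return [m for m in messages if decide(m) == "block"]
```

Because the originating address is attacker-controlled on the signalling side, pair this rule with alerting on any blocked message rather than treating the whitelist as proof of legitimacy.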